GNU logs - #49654, boring messages


Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
Resent-From: Joshua Branson <jbranso@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 20 Jul 2021 05:24:01 +0000
Resent-Message-ID: <handler.49654.B.162675861318836 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 49654
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 49654 <at> debbugs.gnu.org
Cc: rg@HIDDEN
X-Debbugs-Original-To: guix-patches@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.162675861318836
          (code B ref -1); Tue, 20 Jul 2021 05:24:01 +0000
Received: (at submit) by debbugs.gnu.org; 20 Jul 2021 05:23:33 +0000
Received: from localhost ([127.0.0.1]:60785 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1m5iE2-0004tf-Sh
	for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 01:23:33 -0400
Received: from lists.gnu.org ([209.51.188.17]:37330)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jbranso@HIDDEN>) id 1m5iE1-0004tX-2X
 for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 01:23:26 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:58832)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jbranso@HIDDEN>)
 id 1m5iE0-0007Gl-P3
 for guix-patches@HIDDEN; Tue, 20 Jul 2021 01:23:24 -0400
Received: from mx1.dismail.de ([78.46.223.134]:4621)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jbranso@HIDDEN>)
 id 1m5iDw-0000ua-RQ
 for guix-patches@HIDDEN; Tue, 20 Jul 2021 01:23:24 -0400
Received: from mx1.dismail.de (localhost [127.0.0.1])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id 3bdd7834;
 Tue, 20 Jul 2021 07:23:16 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=from:to:cc
 :subject:date:message-id:mime-version:content-type
 :content-transfer-encoding; s=20190914; bh=HRPongJBC7M+ty3l+S6JC
 +xyLy4bIdpneaV+hhzOc20=; b=e8ItYQ82qMWvE+0lWTqByo8scvtnkHE3Flx+F
 +VBFmio3ne77pRyRKZewO9WQyZ2OXU3Wa4fIX9osa1o7nMRlBZhnfdR4QilPf/IF
 OKXMalOf7CrBERVNu2Pp8CSJOxbovnYTO5iql2jua/95msXqCSZp998oihGbNRiC
 ovVaSn9816U9DVjcxYRKmYtPi9Ve+Wk8H5mTjyMRdG+loWPYArrHbNmcbDki97GO
 8Rt6/pDrHXLBCpmb5XdLCto9G1zNcsL0mD2hxafOOthwraIfwZphtKQgV3Q7kHhi
 Sda/1yPJw7u7H9H4MKJbB4nGtqD7yG+ENtA9h2FBq/UxH5YtQ==
Received: from smtp2.dismail.de (<unknown> [10.240.26.12])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id 7a8996c0;
 Tue, 20 Jul 2021 07:23:10 +0200 (CEST)
Received: from smtp2.dismail.de (localhost [127.0.0.1])
 by smtp2.dismail.de (OpenSMTPD) with ESMTP id a6f64e62;
 Tue, 20 Jul 2021 07:23:10 +0200 (CEST)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id a79c3f92
 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); 
 Tue, 20 Jul 2021 07:23:08 +0200 (CEST)
From: Joshua Branson <jbranso@HIDDEN>
Date: Tue, 20 Jul 2021 01:22:24 -0400
Message-Id: <20210720052229.15438-1-jbranso@HIDDEN>
X-Mailer: git-send-email 2.32.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=78.46.223.134; envelope-from=jbranso@HIDDEN;
 helo=mx1.dismail.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.1 (/)

From: Joshua Branson <jbranso AT gnucode.me>

The original guide was written by Raghav Gururajan <rg@HIDDEN>
and edited by Joshua Branson <jbranso@HIDDEN>.

* doc/guix-cookbook.texi (System Configuration): New section of full disc
encryption via libreboot.
---
 doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 724 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e627ecc51..ef8f3425d6 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
 Copyright @copyright{} 2020 André Batista@*
 Copyright @copyright{} 2020 Christopher Lemmer Webber
 Copyright @copyright{} 2021 Joshua Branson@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1358,6 +1359,7 @@ reference.
 * Customizing the Kernel::       Creating and using a custom Linux kernel on Guix System.
 * Guix System Image API::        Customizing images to target specific platforms.
 * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
+* Guix System with Full Disk Encryption::    Guix System with Full Disk Encryption
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
 * Running Guix on a Linode Server:: Running Guix on a Linode Server
 * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
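Review bot: the menu description for the new entry simply repeats the node name, while the neighbouring entries carry a short summary of what the recipe covers (e.g. "Connecting to a Wireguard VPN."). The section body says it is for devices powered by Libreboot and its partitioning step creates no separate EFI system partition, so a description that names that scope, something like "Full disk encryption (LUKS + LVM) on Libreboot-powered machines.", would tell readers up front when the recipe applies; the node name itself might also carry "Libreboot".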
@@ -1938,6 +1940,728 @@ For more specific information about NetworkManager and wireguard
 @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see
 this post by thaller}.
 
+@node Guix System with Full Disk Encryption
+@section Guix System with Full Disk Encryption
+@cindex libreboot, full disk encryption
+
+Guix System is an exotic distribution of GNU/Linux operating system,
+with Guix as package/system manager, Linux-Libre as kernel and
+Shepherd as init system.
+
+Libreboot is a de-blobbed distribution of Coreboot firmware. By
+default, Libreboot comes with GRUB bootloader as a payload.
+
+The objective of this manual is to provide step-by-step guide for
+setting up Guix System (stand-alone Guix), with Full Disk
+Encryption (FDE), on devices powered by Libreboot.
+
+Any users, for their generalized use cases, need not stumble away from
+this guide to accomplish the setup. Advanced users, for deviant use
+cases, will have to explore outside this guide for customization;
+although this guide provides information that is of paramount use.
+
+Let us begin!
+
+@menu
+* Create Boot-able USB::
+* Installing and Setup::
+* Tweaking Libreboot's Grub Payload::
+* Closing Thoughts::
+* Special Thanks::
+@end menu
+
+@node Create Boot-able USB
+@subsection Create Boot-able USB
+
+In the current GNU+Linux system, open terminal as root user.
+
+Insert USB drive and get the device letter @code{/dev/sdX}, where “X” is the
+device letter.
+
+@example
+lsblk --list
+@end example
+
+@example
+NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
+sda     8:0    0 223.6G  0 disk
+sda1    8:1    0     2M  0 part
+sda2    8:2    0   3.7G  0 part
+sda3    8:3    0 219.9G  0 part /
+zram0 251:0    0   512M  0 disk [SWAP]
+@end example
+
+
+Just in case the device is auto-mounted, unmount the device.
+
+@example
+umount /dev/sdX --verbose
+@end example
+
+Download the Guix System ISO installer package and it’s GPG signature;
+where @code{A.B.C} is the version number and @code{SSS} is the system
+architecture.
+
+@example
+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz
+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz.sig
+@end example
+
+Import the Guix's public key.
+
+@example
+gpg --verbose --keyserver pool.sks-keyservers.net –-receive-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
+@end example
+
+Verify the GPG signature of the downloaded package.
+
+@example
+gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig
+@end example
+
+Extract ISO image from the downloaded package.
+
+@example
+xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz
+@end example
+
+Write the extracted ISO image to the drive.
+
+@example
+dd if=guix-system-install-A.B.C.SSS-linux.iso of=/dev/sdX status=progress; sync
+@end example
+
+Reboot the device.
+
+@example
+reboot
+@end example
+
+@node Installing and Setup
+@subsection Installing and Setup
+
+On reboot, as soon as the Libreboot's graphic art appears, press "S"
+or choose @code{Search for GRUB2 configuration on external media [s]}. Wait
+for the Guix System from USB drive to load.
+
+Once Guix System installer starts, choose @code{Install using the shell
+based process}.
+
+Set your keyboard layout, where @code{lo} is the two-letter keyboard
+layout code (lower-case).
+
+@example
+loadkeys --verbose lo
+@end example
+
+Unblock network interfaces.
+
+@example
+rfkill unblock all
+@end example
+
+Get the names of network interfaces.
+
+@example
+ifconfig -v -a
+@end example
+
+@example
+enp0s25   Link encap:Ethernet  HWaddr 00:1C:25:9A:37:BA
+          UP BROADCAST MULTICAST  MTU:1500  Metric:1
+          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:0  TX bytes:0
+          Interrupt:16 Memory:98800000-98820000
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Bcast:0.0.0.0  Mask:255.0.0.0
+          UP LOOPBACK RUNNING  MTU:65536  Metric:1
+          RX packets:265 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:164568  TX bytes:164568
+
+wlp2s0    Link encap:Ethernet  HWaddr E4:CE:8F:59:D6:BF
+          inet addr:192.168.1.133  Bcast:192.168.1.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:60084 errors:0 dropped:71 overruns:0 frame:0
+          TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:45965805  TX bytes:4905457
+
+@end example
+
+Bring the desired network interface (wired or wireless) up, where
+@code{nwif} is the network interface name.
+
+@example
+ifconfig -v nwif up
+@end example
+
+For wireless connection, follow the wireless setup.
+
+@menu
+* Wireless Setup::
+@end menu
+
+@node Wireless Setup
+@subsubsection Wireless Setup
+
+Create a configuration file using text editor, where @code{fname} is any
+desired name for file.
+
+@example
+nano fname.conf
+@end example
+
+Choose, type and save ONE of the following snippets, where ‘net’ is
+the network name, ‘pass’ is the password or passphrase and ‘uid’ is
+the user identity.
+
+For most private networks:
+
+@example
+network=@{
+  ssid="net"
+  key_mgmt=WPA-PSK
+  psk="pass"
+@}
+@end example
+
+(or)
+
+For most public networks:
+
+@example
+network=@{
+  ssid="net"
+  key_mgmt=NONE
+@}
+@end example
+
+(or)
+
+For most organizational networks:
+
+@example
+network=@{
+  ssid="net"
+  scan_ssid=1
+  key_mgmt=WPA-EAP
+  identity="uid"
+  password="pass"
+  eap=PEAP
+  phase1="peaplabel=0"
+  phase2="auth=MSCHAPV2"
+@}
+@end example
+
+Connect to the configured network.
+
+@example
+wpa_supplicant -B -c fname.conf -i nwif
+@end example
+
+Assign an IP address to the network interface.
+
+@example
+dhclient -v nwif
+@end example
+
+Obtain the device letter @code{/dev/sdX} in which you would like to deploy
+and install Guix System, where “X” is the device letter.
+
+@example
+lsblk --list
+@end example
+
+@example
+NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
+sda     8:0    0 223.6G  0 disk
+sda1    8:1    0     2M  0 part
+sda2    8:2    0   3.7G  0 part
+sda3    8:3    0 219.9G  0 part /
+zram0 251:0    0   512M  0 disk [SWAP]
+@end example
+
+Wipe the device (Ignore if the device is new).
+
+@example
+shred --verbose --random-source=/dev/urandom /dev/sdX
+@end example
+
+Load the device-mapper module in the current kernel.
+
+@example
+modprobe --verbose dm_mod
+@end example
+
+Partition the device. Follow the prompts. Just do, GPT --> New -->
+Write --> Quit; defaults will be set.
+
+@example
+cfdisk /dev/sdX
+@end example
+
+Obtain the partition number from the device, where “Y” is the
+partition number.
+
+@example
+lsblk --list
+@end example
+
+Encrypt the partition. Follow the prompts.
+
+@example
+cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
+--verify-passphrase --use-random --key-size 512 --iter-time 500 \
+luksFormat /dev/sdXY
+@end example
+
+Obtain and note down the UUID of the LUKS partition.
+
+@example
+cryptsetup --verbose luksUUID /dev/sdXY
+@end example
+
+Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
+and @code{partname} is any desired name for the partition.
+
+@example
+cryptsetup --verbose
+luksOpen UUID=luks-uuid partname
+@end example
+
+Create a physical volume in the partition.
+
+@example
+pvcreate /dev/mapper/partname --verbose
+@end example
+
+Create a volume group in the physical volume, where @code{vgname} is any
+desired name for volume group.
+
+@example
+vgcreate vgname /dev/mapper/partname --verbose
+@end example
+
+Create logical volumes in the volume group; where "num" is the number
+for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
+desired names for root and home volumes respectively.
+
+@example
+lvcreate --extents 25%VG vgname --name lvnameroot --verbose
+lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
+@end example
+
+Create filesystems on the logical-volumes, where @code{fsnameroot} and
+@code{fsnamehome} are any desired names for root and home filesystems
+respectively.
+
+@example
+mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
+mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
+@end example
+
+Mount the filesystems under the current system.
+
+@example
+mount --label fsnameroot --target /mnt --types btrfs --verbose
+mkdir --verbose /mnt/home && mount --label fsnamehome --target \
+/mnt/home --types btrfs --verbose
+@end example
+
+Create a swap file.
+
+@example
+dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
+mkswap --verbose /mnt/swapfile
+@end example
+
+Make the swap file readable and writable only by root account.
+
+@example
+chmod --verbose 600 /mnt/swapfile
+@end example
+
+Activate the swap file.
+
+@example
+swapon --verbose /mnt/swapfile
+@end example
+
+Install packages on the mounted root filesystem.
+
+@example
+herd start cow-store /mnt
+@end example
+
+Create the system-wide configuration files directory.
+
+@example
+mkdir --verbose /mnt/etc
+@end example
+
+Create, edit and save the system configuration file by typing the
+following code snippet. WATCH-OUT for variables in the code snippet
+and replace them with the relevant values.
+
+@example
+nano /mnt/etc/config.scm
+@end example
+
+The content of config.scm is:
+
+@lisp
+(use-modules
+ (gnu)
+ (gnu system nss))
+
+(use-package-modules
+ certs
+ gnome
+ linux)
+
+(use-service-modules
+ desktop
+ xorg)
+
+(operating-system
+  (kernel linux-libre-lts)
+  (kernel-arguments
+   (append
+    (list
+    ;; this is needed to flash the libreboot ROM. After, you
+    ;; have flashed your rom, it is a good idea to remove
+    ;; iomem=relaxed from your kernel arguments
+     "iomem=relaxed")
+    %default-kernel-arguments))
+
+  (timezone "Zone/SubZone")
+  (locale "ab_XY.1234")
+  (name-service-switch %mdns-host-lookup-nss)
+
+  (bootloader
+   (bootloader-configuration
+    (bootloader
+     (bootloader
+      (inherit grub-bootloader)
+      (installer #~(const #t))))
+    (keyboard-layout keyboard-layout)))
+
+  (keyboard-layout
+   (keyboard-layout
+    "xy"
+    "altgr-intl"))
+
+  (host-name "hostname")
+
+  (mapped-devices
+   (list
+    (mapped-device
+     (source
+      (uuid "LUKS-UUID"))
+     (target "partname")
+     (type luks-device-mapping))
+    (mapped-device
+     (source "vgname")
+     (targets
+      (list
+       "vgname-lvnameroot"
+       "vgname-lvnamehome"))
+     (type lvm-device-mapping))))
+
+  (file-systems
+   (append
+    (list
+     (file-system
+       (type "btrfs")
+       (mount-point "/")
+       (device "/dev/mapper/VGNAME-LVNAMEROOT")
+       (flags '(no-atime))
+       (options "space_cache=v2")
+       (needed-for-boot? #t)
+       (dependencies mapped-devices))
+     (file-system
+       (type "btrfs")
+       (mount-point "/home")
+       (device "/dev/mapper/VGNAME-LVNAMEHOME")
+       (flags '(no-atime))
+       (options "space_cache=v2")
+       (dependencies mapped-devices)))
+    %base-file-systems))
+
+  (swap-devices
+   (list
+    "/swapfile"))
+
+  (users
+   (append
+    (list
+     (user-account
+      (name "USERNAME")
+      (comment "Full Name")
+      (group "users")
+      (supplementary-groups '("audio" "cdrom"
+                              "kvm" "lp" "netdev"
+                              "tape" "video"
+                              "wheel"))))
+    %base-user-accounts))
+
+  (packages
+   (append
+    (list
+     nss-certs)
+    %base-packages))
+
+  (services
+   (append
+    (list
+     (service gnome-desktop-service-type))
+    %desktop-services)))
+@end lisp
+
+Initialize new Guix System.
+
+@example
+guix system init /mnt/etc/config.scm /mnt
+@end example
+
+Reboot the device.
+
+@example
+reboot
+@end example
+
+@node Tweaking Libreboot's Grub Payload
+@subsection Tweaking Libreboot's Grub Payload
+@cindex grub payload
+
+On reboot, as soon as the Libreboot graphic art appears, press “C” to
+enter the command-line.
+
+Enter the following commands and respond to first command with the LUKS
+Key.
+
+@example
+cryptomount -u luks-uuid
+set root=(lvm/vgname-lvnameroot)
+@end example
+
+Upon Guix's GRUB menu, go with the default option.
+
+Enter the LUKS Key again, for kernel, as prompted.
+
+Upon login screen, login as "root" with password field empty.
+
+Open terminal.
+
+Set passkey for the "root" user. Follow the prompts.
+
+@example
+passwd root
+@end example
+
+Set passkey for the "username" user. Follow the prompts.
+
+@example
+passwd username
+@end example
+
+Install flashrom and wget.
+
+@example
+guix package –-install flashrom wget
+@end example
+
+Obtain the ROM chip's model and size. Look for the output line “Found
+[@dots{}] flash chip [@dots{}]”.
+
+@example
+flashrom --verbose --programmer internal
+@end example
+
+Download Libreboot ROM and utilities, where "YYYYMMDD" is the release
+date, @code{devmod} is the device model and "N" is the ROM chip size.
+
+@example
+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz
+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYYYYMMDD_util.tar.xz
+@end example
+
+Extract the downloaded files.
+@example
+tar --extract --file=libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verbose
+tar --extract --file=libreboot_rYYYYMMDD_util.tar.xz --verbose
+@end example
+
+Rename the directories of extracted files.
+
+@example
+mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"
+mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"
+@end example
+
+Copy the ROM image to the directory of cbfstool, where "kbdlo" is the
+keyboard layout and "arch" is the system architecture.
+
+@example
+cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arch/libreboot.rom
+@end example
+
+Change directory to the directory of cbfstool.
+@example
+cd libreboot_util/cbfstool/arch/
+@end example
+
+Extract the GRUB configuration file from the image.
+
+@example
+./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg
+@end example
+
+Edit the GRUB configuration file and insert the following code snippet
+above the line @code{“menuentry 'Load Operating System [o]' --hotkey='o'
+--unrestricted @{ [...] @}”}.
+
+@example
+nano grub.cfg
+@end example
+
+Snippet:
+@example
+menuentry ‘Guix System (An advanced distribution of the GNU operating system) [g]’ --hotkey=’g’ --unrestricted
+@{
+cryptomount -u luks-uuid
+set root=(lvm/vgname-lvnameroot)
+configfile /boot/grub/grub.cfg
+@}
+@end example
+
+Remove the old GRUB configuration file from the ROM image.
+
+@example
+./cbfstool libreboot.rom remove -n grub.cfg
+@end example
+
+Insert the new GRUB configuration file into the ROM image.
+
+@example
+./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
+@end example
+
+Move the ROM image to the directory of ich9gen.
+
+@example
+mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom
+@end example
+
+Change directory to the directory of ich9gen.
+
+@example
+cd ~/libreboot_util/ich9deblob/arch/
+@end example
+
+Generate descriptor+GbE images with the MAC address, where "mac-addr"
+is the MAC address of the machine.
+
+@example
+ich9gen --macaddress mac-addr
+@end example
+
+Insert the descriptor+GbE image into the ROM image, where "N" is the
+ROM chip size.
+@example
+dd bs=12k conv=notrunc count=1 if=ich9fdgbe_Nm.bin of=libreboot.rom status=progress
+@end example
+
+Move the ROM image to the directory of flash.
+
+@example
+mv libreboot.rom ~/libreboot_util/libreboot.rom
+@end example
+
+Change directory to the directory of flash.
+
+@example
+cd ~/libreboot_util
+@end example
+
+Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.
+@example
+nano flash
+@end example
+
+Flash the ROM with the new image.
+@example
+./flash update libreboot.rom
+@end example
+
+(or)
+
+@example
+./flash forceupdate libreboot.rom
+@end example
+
+Reboot the device.
+@example
+reboot
+@end example
+
+@node Closing Thoughts
+@subsection Closing Thoughts
+
+Everything should be stream-lined from now. Upon Libreboot's GRUB
+menu, you can either press "G" or choose "Guix System (An advanced
+distribution of the GNU operating system) [g]".
+
+During the boot process, as prompted, you have to type LUKS key twice;
+once for Libreboot's GRUB and once more for Linux-Libre kernel.
+Retyping a passphrase is a minor annoyance, but it is a secure method of
+opening up your device.  There are methods that exist to only type the
+passphrase once, but none are currently integrated into Guix System.
+
+Generally, you will be using Libreboot's initial/default grub.cfg,
+whose Guix menu-entry invokes Guix's grub.cfg located at
+@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's
+@code{grubtest.cfg}, which hasn't been modified.
+
+Now that you have a working Guix System with full disk encryption, you
+may want to remove the @code{iomem=relaxed} from your
+@code{kernel-arguments}.  @code{iomem=relaxed} is needed to reflash your
+rom.  Since, most users will probably not flash their rom often, those
+users may wish to disable that feature:
+
+@lisp
+  ;; optionally remove this bit of code from your config.scm
+  (kernel-arguments
+   (append
+    (list
+    ;; this is needed to flash the libreboot ROM. After, you
+    ;; have flashed your rom, it is a good idea to remove
+    ;; iomem=relaxed from your kernel arguments
+     "iomem=relaxed")
+    %default-kernel-arguments))
+@end lisp
+
+That is it! You have now setup Guix System with Full Disk Encryption on
+your device powered by Libreboot. Enjoy!
+
+More information about Libreboot can be found at their official
+documentation: @uref{https://libreboot.org/docs/}.
+
+@node Special Thanks
+@subsection Special Thanks
+
+Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),
+for helping me with the Scheme code for the bootloader configuration.
+
+Thanks to Libreboot founder and developer, Leah Rowe
+(leah@@libreboot.org), for helping me with the understanding of
+Libreboot’s functionalities.
+
 @node Customizing a Window Manager
 @section Customizing a Window Manager
 @cindex wm
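Review bot: several commands in this hunk do not run as written, and a few choices deserve a word in the text. `gpg … –-receive-keys` and `guix package –-install` use an en dash (`–-`) where `--` is required. `cryptsetup --verbose` and `luksOpen UUID=luks-uuid partname` sit on separate lines inside one `@example`, so a reader typing them gets two commands; join them into one line like the `cryptsetup --verbose luksUUID /dev/sdXY` example just above. `dd bs=1MiB count=1GiB` makes `count` a block count, so it requests 2^30 blocks of 1 MiB rather than a 1 GiB file; `count=1024` is what the text means. `mv "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"` renames the tarball that was just extracted, not the directory it produced. The grub.cfg snippet uses typographic quotes (`‘Guix System … [g]’ --hotkey=’g’`); GRUB's script parser treats only ASCII `'` and `"` as quoting, so the entry should copy the form of the `'Load Operating System [o]' --hotkey='o'` line it is inserted above. Placeholders should agree across config.scm: the `mapped-device` targets are `vgname-lvnameroot`/`vgname-lvnamehome` but the `file-system` devices read `/dev/mapper/VGNAME-LVNAMEROOT`/`VGNAME-LVNAMEHOME`; and the lvcreate paragraph defines "num" without using it (the commands use `25%VG` and `100%FREE`). Two text points: `herd start cow-store /mnt` does not install packages, it redirects store writes to the target disk so that the following `guix system init` lands there; and the shebang sentence uses Markdown backticks where the file uses `@code{}`. On the `luksFormat` line, `--iter-time 500` sets the passphrase-derivation benchmark time below cryptsetup's default, which makes offline guessing of the passphrase cheaper; unless there is a reason for the non-default `--hash whirlpool --cipher serpent-xts-plain64` choice as well, a cookbook is better off recommending cryptsetup's defaults, or at least explaining the deviation. Finally, the config comment correctly marks `iomem=relaxed` as temporary; saying what it relaxes (the kernel's restriction on writes through /dev/mem, which is why flashrom's internal programmer needs it) would help readers see why it should be dropped after flashing.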
-- 
2.32.0





Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Joshua Branson <jbranso@HIDDEN>
Subject: bug#49654: Acknowledgement ([PATCH] doc: Add full disc encryption
 guide to the cookbook)
Message-ID: <handler.49654.B.162675861318836.ack <at> debbugs.gnu.org>
References: <20210720052229.15438-1-jbranso@HIDDEN>
X-Gnu-PR-Message: ack 49654
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 49654 <at> debbugs.gnu.org
Date: Tue, 20 Jul 2021 05:24:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 49654 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
49654: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=49654
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
Resent-From: Giovanni Biscuolo <g@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 20 Jul 2021 10:43:02 +0000
Resent-Message-ID: <handler.49654.B49654.162677775217145 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 49654
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Joshua Branson <jbranso@HIDDEN>, 49654 <at> debbugs.gnu.org
Cc: rg@HIDDEN
Received: via spool by 49654-submit <at> debbugs.gnu.org id=B49654.162677775217145
          (code B ref 49654); Tue, 20 Jul 2021 10:43:02 +0000
Received: (at 49654) by debbugs.gnu.org; 20 Jul 2021 10:42:32 +0000
Received: from localhost ([127.0.0.1]:32866 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1m5nCq-0004ST-4x
	for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 06:42:32 -0400
Received: from ns13.heimat.it ([46.4.214.66]:46388)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <g@HIDDEN>) id 1m5nCo-0004SE-B6
 for 49654 <at> debbugs.gnu.org; Tue, 20 Jul 2021 06:42:31 -0400
Received: from localhost (ip6-localhost [127.0.0.1])
 by ns13.heimat.it (Postfix) with ESMTP id 5C2323021BA;
 Tue, 20 Jul 2021 10:42:16 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it
Received: from ns13.heimat.it ([127.0.0.1])
 by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id c0nQYWcj6Fx5; Tue, 20 Jul 2021 10:41:47 +0000 (UTC)
Received: from bourrache.mug.xelera.it (unknown [93.56.171.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by ns13.heimat.it (Postfix) with ESMTPSA id 002A83021B9;
 Tue, 20 Jul 2021 10:41:38 +0000 (UTC)
Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14])
 by bourrache.mug.xelera.it (Postfix) with SMTP id 7F4EF10FD94A;
 Tue, 20 Jul 2021 12:41:38 +0200 (CEST)
Received: (nullmailer pid 30492 invoked by uid 1000);
 Tue, 20 Jul 2021 10:41:38 -0000
From: Giovanni Biscuolo <g@HIDDEN>
In-Reply-To: <20210720052229.15438-1-jbranso@HIDDEN>
Organization: Xelera.eu
References: <20210720052229.15438-1-jbranso@HIDDEN>
Date: Tue, 20 Jul 2021 12:41:37 +0200
Message-ID: <87pmvdi7xa.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hello Joshua and Raghav,

thank you for your guide!  I have just a couple of comments.

Joshua Branson via Guix-patches via <guix-patches@HIDDEN> writes:

> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@HIDDEN>
> and edited by Joshua Branson <jbranso@HIDDEN>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
>  doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 724 insertions(+)

[...]

> +* Guix System with Full Disk Encryption::    Guix System with Full Disk Encryption

AFAIU the steps, especially the partitioning, which does not provide a
dedicated UEFI partition, are specific to Libreboot systems: what about
making that clearer in the section title?

...or to adapt the section by separating Libreboot specific instructions
from generic system instructions?

[...]

> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example

Why use two BTRFS volumes on top of LVM and not BTRFS directly (with
subvolumes if you want) on top of /dev/mapper/partname?

AFAIU the "double mapping" is not needed; BTRFS has a very good (and
now mature) built-in volume manager.  Furthermore, using BTRFS for
volume management will allow users to switch to a multi-device system
(e.g. RAID1) very easily.

I'm still using LVM on some "legacy" systems, but for new installations
I'd strongly suggest starting to use BTRFS on top of "physical"
partitions.

> +Mount the filesystems under the current system.
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=3D1MiB count=3D1GiB if=3D/dev/zero of=3D/mnt/swapfile status=3Dpro=
gress
> +mkswap --verbose /mnt/swapfile
> +@end example
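Review bot: `dd bs=1MiB count=1GiB` asks for 2^30 blocks of 1 MiB (GNU dd applies the size suffix to the block count), so it will run until the filesystem is full; for a 1 GiB file use `count=1024`. The file is also left with the default mode, so `mkswap` will warn about insecure permissions; add `chmod 600 /mnt/swapfile` before `mkswap` so that paged-out memory is readable by root only.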

I know that since Linux 2.6 swap file performance is not a big issue if
the file is unfragmented (and it will be for sure on newly partitioned
filesystems), but AFAIU swap files are still a little bit problematic on
BTRFS:
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F

--8<---------------cut here---------------start------------->8---

From kernel 5.0+ btrfs have native swap files support, but with some
limitations. Swap file - must be fully allocated as NOCOW with no
compression on one device.

--8<---------------cut here---------------end--------------->8---

I've never tested a system with swap file on BTRFS but I think that your
instructions should add how to set NOCOW for the swap file.

The above example could be:

--8<---------------cut here---------------start------------->8---

@example
# NOCOW and compression must be set while the file is still empty
truncate --size 0 /mnt/swapfile
chattr +C /mnt/swapfile
btrfs property set /mnt/swapfile compression none
dd bs=1MiB count=1024 if=/dev/zero of=/mnt/swapfile status=progress
chmod 600 /mnt/swapfile
mkswap --verbose /mnt/swapfile
@end example

--8<---------------cut here---------------end--------------->8---

Final note: AFAIU BTRFS supports swap files ONLY in single device
settings (that is: NO swap file support on multi device settings), so
IMHO it's better to use a dedicated partition for the swap space so
users are free to switch to a multi-device setting if they wish (and
can).

The problem with a fully encrypted dedicated swap partition is that
it'll require a third passphrase prompt on boot (the one to unlock the
swap partition), but that's a minor annoyance IMHO.

What do you think?

[...]

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

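As an added example (not code from the thread), a small POSIX shell preflight that encodes the btrfs FAQ constraints quoted above (NOCOW, no compression, fully allocated) and a creation routine that applies them in the right order; the function names and the assumed output formats of `lsattr` and `btrfs property get` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread.  Checks and creates a swap file on
# btrfs according to the constraints quoted from the btrfs FAQ: the file must
# be fully allocated, NOCOW (chattr +C, shown as 'C' by lsattr) and
# uncompressed.  Function names and the assumed output formats of lsattr(1)
# and `btrfs property get` are assumptions of this example.

# check_swapfile_attrs FLAGS COMPRESSION
#   FLAGS       the attribute column printed by lsattr, e.g. "---------------C------"
#   COMPRESSION the value part of `btrfs property get FILE compression`
# Returns 0 when the file is NOCOW and uncompressed, 1 if NOCOW is missing,
# 2 if a compression algorithm is set.  Pure string checks, so it can be
# exercised on constructed input without a btrfs filesystem.
check_swapfile_attrs() {
    flags=$1
    compression=$2
    case $flags in
        *C*) ;;
        *) echo "swap file is not NOCOW: run 'chattr +C' on the empty file first" >&2
           return 1 ;;
    esac
    case $compression in
        ""|none|no) return 0 ;;
        *) echo "swap file has compression '$compression'; it must be none" >&2
           return 2 ;;
    esac
}

# check_swapfile FILE
# Live wrapper: reads the attributes of FILE from the running system.
# Needs e2fsprogs (lsattr) and btrfs-progs; not exercised by the test.
check_swapfile() {
    file=$1
    flags=$(lsattr "$file" | awk '{ print $1 }')
    # Assumed format: `btrfs property get` prints "compression=<value>",
    # or nothing at all when the property is unset.
    compression=$(btrfs property get "$file" compression 2>/dev/null \
                  | sed -n 's/^compression=//p')
    check_swapfile_attrs "$flags" "$compression"
}

# create_btrfs_swapfile FILE SIZE_MIB
# Creates FILE the way the FAQ requires: NOCOW and compression are set while
# the file is still empty (chattr +C has no effect on existing extents), the
# file is fully allocated with dd, made readable by root only, formatted with
# mkswap and finally re-checked.  Must run as root on btrfs; not run by the test.
create_btrfs_swapfile() {
    file=$1
    size_mib=$2
    truncate --size 0 "$file" &&
    chattr +C "$file" &&
    btrfs property set "$file" compression none &&
    dd if=/dev/zero of="$file" bs=1MiB count="$size_mib" status=progress &&
    chmod 600 "$file" &&
    mkswap "$file" &&
    check_swapfile "$file"
}
```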




Message sent to guix-patches@HIDDEN:


Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: Joshua Branson <jbranso@HIDDEN>
To: Giovanni Biscuolo <g@HIDDEN>
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
Date: Tue, 20 Jul 2021 14:15:59 -0400
Message-ID: <87eebsvokg.fsf@HIDDEN>
In-Reply-To: <87pmvdi7xa.fsf@HIDDEN>

Giovanni Biscuolo <g@HIDDEN> writes:

> Hello Joshua and Raghav,
>
> thank you for your guide!  I have just a couple of comments.
>
> Joshua Branson via Guix-patches via <guix-patches@HIDDEN> writes:
>
>> From: Joshua Branson <jbranso AT gnucode.me>
>>
>> The original guide was written by Raghav Gururajan <rg@HIDDEN>
>> and edited by Joshua Branson <jbranso@HIDDEN>.
>>
>> * doc/guix-cookbook.texi (System Configuration): New section of full disc
>> encryption via libreboot.
>> ---
>>  doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 724 insertions(+)
>
> [...]
>
>> +* Guix System with Full Disk Encryption::    Guix System with Full Disk Encryption
>
> AFAIU the steps, especially the partitioning that does not provide a
> dedicated UEFI partition, are specific to Libreboot systems: what about
> making this clearer in the section title?

I will mention this somewhere.  Thanks.  Perhaps we could mention that
libreboot systems are so ancient that they do not support UEFI.  I will
also mention that newer coreboot devices do not support a UEFI partition,
but require proprietary blobs to run properly.

>
> ...or to adapt the section by separating Libreboot specific instructions
> from generic system instructions?

as above.

>
> [...]
>
>> +Create a physical volume in the partition.
>> +
>> +@example
>> +pvcreate /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create a volume group in the physical volume, where @code{vgname} is any
>> +desired name for volume group.
>> +
>> +@example
>> +vgcreate vgname /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create logical volumes in the volume group; where "num" is the number
>> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
>> +desired names for root and home volumes respectively.
>> +
>> +@example
>> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
>> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
>> +@end example
>> +
>> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
>> +@code{fsnamehome} are any desired names for root and home filesystems
>> +respectively.
>> +
>> +@example
>> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
>> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
>> +@end example
>
> Why use two BTRFS volumes on top of LVM instead of BTRFS directly (with
> subvolumes if you want) on top of /dev/mapper/partname?

This is probably a good idea...however does the grub payload support
this?

>
> AFAIU the "double mapping" is not needed: BTRFS has a very good (and
> now mature) built-in volume manager.  Furthermore, using BTRFS for
> volume management will allow users to switch to a multi-device system
> (e.g. RAID1) very easily.

That's pretty cool!

>
> I'm still using LVM on some "legacy" systems, but for new installations
> I'd strongly suggest starting with BTRFS on top of "physical"
> partitions.

Does btrfs volume management allow us to use ext4, jfs, or xfs filesystems?
Or does LVM do that?

>> +Mount the filesystems under the current system.
>> +
>> +@example
>> +mount --label fsnameroot --target /mnt --types btrfs --verbose
>> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
>> +/mnt/home --types btrfs --verbose
>> +@end example
>> +
>> +Create a swap file.
>> +
>> +@example
>> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
>> +mkswap --verbose /mnt/swapfile
>> +@end example
>
> I know that since Linux 2.6 swapfile performance is not a big issue if
> the file is unfragmented (and it'll be for sure on newly partitioned
> filesystems) but AFAIU swap files are still a little bit problematic on
> BTRFS
> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:

Ok...maybe we could use ext4 for the swap file?  Is there a better
filesystem?  Again does btrfs volume management allow the swap file to
be ext4?  Or do we have to use LVM?

> From kernel 5.0+ btrfs have native swap files support, but with some
> limitations. Swap file - must be fully allocated as NOCOW with no
> compression on one device.
>
>
> I've never tested a system with swap file on BTRFS but I think that your
> instructions should add how to set NOCOW for the swap file.
>
> The above example could be:
>
>
> @example
> dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> mkswap --verbose /mnt/swapfile
> chattr +C /mnt/swapfile
> btrfs property set /mnt/swapfile compression none
> @end example
>
> Final note: AFAIU BTRFS supports swap files ONLY in single device
> settings (that is: NO swap file support on multi device settings), so
> IMHO it's better to use a dedicated partition for the swap space so
> users are free to switch to a multi-device setting if they wish (and
> can).

Ok, I will create a dedicated partition and format it with ext4 and the
swap program...but I will probably need help figuring out how to encrypt
the swap partition...There are guides online that I can look at...

> The problem with a fully encrypted dedicated swap partition is that
> it'll require a third passphrase prompt on boot (the one to unlock the
> swap partition), but that's a minor annoyance IMHO.

Oh no!  I hadn't thought about that!  grrr!  I wonder if bcachefs is
better than btrfs...well I guess it's not merged yet.  What about
instead of using a swap file we use zram?  Or how about both?

> What do you think?
>
> [...]
>
> Happy hacking! Gio'

--
Joshua Branson (jab in #guix)
Sent from Emacs and Gnus
  https://gnucode.me
  https://video.hardlimit.com/accounts/joshua_branson/video-channels
  https://propernaming.org
  "You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar




Message sent to guix-patches@HIDDEN:


Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: Giovanni Biscuolo <g@HIDDEN>
To: Joshua Branson <jbranso@HIDDEN>
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
Date: Wed, 21 Jul 2021 14:16:13 +0200
Message-ID: <87k0ljj20i.fsf@HIDDEN>
In-Reply-To: <87eebsvokg.fsf@HIDDEN>


Hi Joshua

Joshua Branson <jbranso@HIDDEN> writes:

[...]

>> Why use two BTRFS volumes on top of LVM instead of BTRFS directly (with
>> subvolumes if you want) on top of /dev/mapper/partname?
>
> This is probably a good idea...however does the grub payload support
> this?

Do you mean: does grub support booting from encrypted BTRFS?  The answer
is yes.

WARNING: I've (still) not tried myself to boot Guix System using an
encrypted BTRFS (sub)volume, but I'm pretty confident that Guix is
configuring grub with the needed modules (luks and btrfs).

[...]

>> I'm still using LVM on some "legacy" systems, but for new installations
>> I'd strongly suggest starting with BTRFS on top of "physical"
>> partitions.
>
> Does btrfs volume management allow us to use ext4, jfs, or xfs
> filesystems?

No: BTRFS is a volume manager and a filesystem "all in one"; you cannot
create a BTRFS subvolume and format it with another filesystem.

> Or does LVM do that?

LVM is "just" a volume manager with no idea about the overlying
filesystem.


[...]

>> I know that since Linux 2.6 swap file performance is not a big issue if
>> the file is unfragmented (and it will be for sure on newly partitioned
>> filesystems), but AFAIU swap files are still a little bit problematic on
>> BTRFS:
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F
>
> Ok...maybe we could use ext4 for the swap file?  Is there a better
> filesystem?  Again does btrfs volume management allow the swap file to
> be ext4?

No, as explained above.

> Or do we have to use LVM?

If we use a dedicated partition for swap there is no need to set up an
LVM volume (physical, VG and then logical): we can just create a
dedicated partition during partitioning, encrypt it with LUKS and
"mkswap" it (e.g. mkswap /dev/mapper/<encrypted_swap>).

[...]

>> Final note: AFAIU BTRFS supports swap files ONLY in single device
>> settings (that is: NO swap file support on multi device settings), so
>> IMHO it's better to use a dedicated partition for the swap space so
>> users are free to switch to a multi-device setting if they wish (and
>> can).
>
> Ok, I will create a dedicated partition and format it with ext4
> and the swap program

There's no need to format (mkfs.ext4) the partition with ext4, just
"mkswap" it :-)

> ...but I will probably need help figuring out how to encrypt
> the swap partition...There are guides online that I can look at...

You have to encrypt it like any other partition, e.g.:

--8<---------------cut here---------------start------------->8---

Encrypt the swap partition. Follow the prompts.

@example
cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
--verify-passphrase --use-random --key-size 512 --iter-time 500 \
luksFormat /dev/<swap_partition>
@end example

Obtain and note down the UUID of the LUKS partition.

@example
cryptsetup --verbose luksUUID /dev/<swap_partition>
@end example

Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
and @code{crypt_swap01} is any desired name for the decrypted swap
partition.

@example
cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01
@end example

Format the encrypted swap

@example
mkswap /dev/mapper/crypt_swap01
@end example

--8<---------------cut here---------------end--------------->8---

Then, in our (operating-system) declaration, we have to use something
like this:
--8<---------------cut here---------------start------------->8---

  (mapped-devices
   (list
    (mapped-device
     (source (uuid "LUKS-UUID"))
     (target "partname")
     (type luks-device-mapping))
    ;; This is our new encrypted swap partition
    (mapped-device
     (source
      (uuid "SWAP-LUKS-UUID"))
     (target "crypt_swap01")
     (type luks-device-mapping))
    (mapped-device
     (source "vgname")
     (targets
      (list
       "vgname-lvnameroot"
       "vgname-lvnamehome"))
     (type lvm-device-mapping))))

  (swap-devices
   (list
    "/dev/mapper/crypt_swap01"))

--8<---------------cut here---------------end--------------->8---

WARNING: please consider I've not tested this code.

>> The problem with a fully encrypted dedicated swap partition is that
>> it'll require a third passphrase prompt on boot (the one to unlock the
>> swap partition), but that's a minor annoyance IMHO.
>
> Oh no!  I hadn't thought about that!  grrr!

Actually what I said is NOT true... or better: we could avoid the
(third) password prompt for the swap partition if we _add_ a keyfile to
the LUKS encrypted swap partition _and_ we have a mechanism to
"luksOpen" that mapped volume using that keyfile.

I'm not aware of such a mechanism on Guix System; in Debian (et al.)
this is done with /etc/crypttab.  AFAIU luks-device-mapping lacks the
option to specify a keyfile.

So, as far as this cookbook section is concerned, unfortunately when
using a dedicated encrypted swap partition an additional passphrase
prompt will be presented to the user at each boot.

> I wonder if bcachefs is better than btrfs...well I guess it's not
> merged yet.

No, still not.  AFAIU also still not available in Guix.

> What about instead of using a swap file we use zram?

Never used zram, and I don't know if it's supported (I mean configured by
(operating-system)) on Guix System.

[...]

Sorry, I've more issues than answers on these topics; nevertheless I hope
it somehow helps.

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures





Message sent to guix-patches@HIDDEN:


Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: Sarah Morgensen <iskarian@HIDDEN>
To: Joshua Branson <jbranso@HIDDEN>
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
Date: Wed, 21 Jul 2021 15:50:35 -0700
Message-ID: <86tukns2mc.fsf@HIDDEN>
In-Reply-To: <20210720052229.15438-1-jbranso@HIDDEN>

Hello Joshua, Raghav,

Good to see more guides like this.  In addition to what others have
already pointed out, I've got a few readability suggestions, reading this as a
layperson :)  (Questions are intended to be rhetorical, to illustrate
where a layperson might have questions or be confused.)

Joshua Branson <jbranso@HIDDEN> writes:

> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@HIDDEN=
me>
> and edited by Joshua Branson <jbranso@HIDDEN>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
>  doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 724 insertions(+)
>
> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
> index 2e627ecc51..ef8f3425d6 100644
> --- a/doc/guix-cookbook.texi
> +++ b/doc/guix-cookbook.texi
> @@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
>  Copyright @copyright{} 2020 Andr=C3=A9 Batista@*
>  Copyright @copyright{} 2020 Christopher Lemmer Webber
>  Copyright @copyright{} 2021 Joshua Branson@*
> +Copyright @copyright{} 2021 Raghav Gururajan@*
>=20=20
>  Permission is granted to copy, distribute and/or modify this document
>  under the terms of the GNU Free Documentation License, Version 1.3 or
> @@ -1358,6 +1359,7 @@ reference.
>  * Customizing the Kernel::       Creating and using a custom Linux kerne=
l on Guix System.
>  * Guix System Image API::        Customizing images to target specific p=
latforms.
>  * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
> +* Guix System with Full Disk Encryption::    Guix System with Full Disk =
Encryption
>  * Customizing a Window Manager:: Handle customization of a Window manage=
r on Guix System.
>  * Running Guix on a Linode Server:: Running Guix on a Linode Server
>  * Setting up a bind mount:: Setting up a bind mount in the file-systems =
definition.
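Review bot: the new menu entry's description just repeats the node name and, unlike the neighbouring entries, has no trailing period; a short description such as `Setting up Guix System with full disk encryption on Libreboot devices.` would also address the earlier point that the section is Libreboot-specific.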
> @@ -1938,6 +1940,728 @@ For more specific information about NetworkManage=
r and wireguard
>  @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkman=
ager/,see
>  this post by thaller}.
>=20=20
> +@node Guix System with Full Disk Encryption
> +@section Guix System with Full Disk Encryption
> +@cindex libreboot, full disk encryption
> +
> +Guix System is an exotic distribution of GNU/Linux operating system,
                                           ^ the
> +with Guix as package/system manager, Linux-Libre as kernel and
> +Shepherd as init system.
> +
> +Libreboot is a de-blobbed distribution of Coreboot firmware. By
> +default, Libreboot comes with GRUB bootloader as a payload.
> +
> +The objective of this manual is to provide step-by-step guide for
                                             ^ a
> +setting up Guix System (stand-alone Guix), with Full Disk
                          ^ You already defined Guix System above
> +Encryption (FDE), on devices powered by Libreboot.
> +
> +Any users, for their generalized use cases, need not stumble away from
> +this guide to accomplish the setup. Advanced users, for deviant use
> +cases, will have to explore outside this guide for customization;
> +although this guide provides information that is of paramount use.

Above paragraph does not add useful information and the tone does not
match the rest of the Cookbook.  (Sorry!)

> +
> +Let us begin!
> +
> +@menu
> +* Create Boot-able USB::
            ^ Bootable
> +* Installing and Setup::
> +* Tweaking Libreboot's Grub Payload::
> +* Closing Thoughts::
> +* Special Thanks::
> +@end menu
> +
> +@node Create Boot-able USB
> +@subsection Create Boot-able USB

Likewise.

> +
> +In the current GNU+Linux system, open terminal as root user.

"open a terminal as root" or "open a terminal as the root user"

> +
> +Insert USB drive and get the device letter @code{/dev/sdX}, where =E2=80=
=9CX=E2=80=9D is the
> +device letter.

What USB drive?  This is the first I've heard of it!  Do I need to make
sure it's a specific kind?  Is it okay if there's important information
on there that I haven't backed up?

Also note that while usually the device identifier will be 'sdX' this is
not guaranteed; sometimes you'll see 'hdX' or 'mmcblkX'.

> +
> +@example
> +lsblk --list
> +@end example
> +
> +@example
> +NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
> +sda     8:0    0 223.6G  0 disk
> +sda1    8:1    0     2M  0 part
> +sda2    8:2    0   3.7G  0 part
> +sda3    8:3    0 219.9G  0 part /
> +zram0 251:0    0   512M  0 disk [SWAP]
> +@end example

Why are these separate examples? IMO it would be more clear (and is the
usual style in such guides) to combine them and simply add '$ ' to the
beginning of any line that is a command the user should run.

> +
> +
> +Just in case the device is auto-mounted, unmount the device.
> +
> +@example
> +umount /dev/sdX --verbose
> +@end example
> +
> +Download the Guix System ISO installer package and it=E2=80=99s GPG sign=
ature;
                                                      ^ its

> +where @code{A.B.C} is the version number and @code{SSS} is the system
> +architecture.
> +
> +@example
> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SS=
S-linux.iso.xz
> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SS=
S-linux.iso.xz.sig
> +@end example
> +
> +Import the Guix's public key.
          ^ "the Guix" or "Guix's"

> +
> +@example
> +gpg --verbose --keyserver pool.sks-keyservers.net =E2=80=93-receive-keys=
 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> +@end example
> +
> +Verify the GPG signature of the downloaded package.
> +
> +@example
> +gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig
> +@end example
> +
> +Extract ISO image from the downloaded package.
> +
> +@example
> +xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz
> +@end example
> +
> +Write the extracted ISO image to the drive.
> +
> +@example
> +dd if=3Dguix-system-install-A.B.C.SSS-linux.iso of=3D/dev/sdX status=3Dp=
rogress; sync
> +@end example
> +
> +Reboot the device.
> +
> +@example
> +reboot
> +@end example
> +
> +@node Installing and Setup
> +@subsection Installing and Setup
> +
> +On reboot, as soon as the Libreboot's graphic art appears, press "S"
                         ^ "the" is not necessary

> +or choose @code{Search for GRUB2 configuration on external media [s]}. W=
ait
> +for the Guix System from USB drive to load.

This sounds awkward.  Perhaps "Wait for Guix System to load from the USB
drive." or "Wait for the Guix System [you just] installed on the USB
drive to load."?

> +
> +Once Guix System installer starts, choose @code{Install using the shell
> +based process}.
> +
> +Set your keyboard layout, where @code{lo} is the two-letter keyboard
> +layout code (lower-case).

How do I know what my keyboard layout code should be?  Even

  "layout code (lower-case), for example @code{us} or @code{ru}."

would be helpful.

> +
> +@example
> +loadkeys --verbose lo
> +@end example
> +
> +Unblock network interfaces.
> +
> +@example
> +rfkill unblock all
> +@end example
> +
> +Get the names of network interfaces.
> +
> +@example
> +ifconfig -v -a
> +@end example
> +
> +@example
> +enp0s25   Link encap:Ethernet  HWaddr 00:1C:25:9A:37:BA
> +          UP BROADCAST MULTICAST  MTU:1500  Metric:1
> +          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> +          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> +          collisions:0 txqueuelen:1000
> +          RX bytes:0  TX bytes:0
> +          Interrupt:16 Memory:98800000-98820000
> +
> +lo        Link encap:Local Loopback
> +          inet addr:127.0.0.1  Bcast:0.0.0.0  Mask:255.0.0.0
> +          UP LOOPBACK RUNNING  MTU:65536  Metric:1
> +          RX packets:265 errors:0 dropped:0 overruns:0 frame:0
> +          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
> +          collisions:0 txqueuelen:1000
> +          RX bytes:164568  TX bytes:164568
> +
> +wlp2s0    Link encap:Ethernet  HWaddr E4:CE:8F:59:D6:BF
> +          inet addr:192.168.1.133  Bcast:192.168.1.255  Mask:255.255.255=
.0
> +          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> +          RX packets:60084 errors:0 dropped:71 overruns:0 frame:0
> +          TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0
> +          collisions:0 txqueuelen:1000
> +          RX bytes:45965805  TX bytes:4905457
> +
> +@end example
> +
> +Bring the desired network interface (wired or wireless) up, where
> +@code{nwif} is the network interface name.

How do I know which of the interfaces I should use?

> +
> +@example
> +ifconfig -v nwif up
> +@end example
> +
> +For wireless connection, follow the wireless setup.
                ^ connections
> +
> +@menu
> +* Wireless Setup::
> +@end menu
> +
> +@node Wireless Setup
> +@subsubsection Wireless Setup
> +
> +Create a configuration file using text editor, where @code{fname} is any
> +desired name for file.

This reads a bit awkwardly. Perhaps something like

  "Create the configuration file using a text editor such as
  @code{nano}.  In this example, we are naming the file
  @code{fname.conf}, but any name will do."

Also consider using a more descriptive example filename, like
`wpa_supplicant.conf`.  You'd be surprised how many users just use the
example names!

> +
> +@example
> +nano fname.conf
> +@end example
> +
> +Choose, type and save ONE of the following snippets, where =E2=80=98net=
=E2=80=99 is
> +the network name, =E2=80=98pass=E2=80=99 is the password or passphrase a=
nd =E2=80=98uid=E2=80=99 is
> +the user identity.
> +
> +For most private networks:
> +
> +@example
> +network=3D@{
> +  ssid=3D"net"
> +  key_mgmt=3DWPA-PSK
> +  psk=3D"pass"
> +@}
> +@end example
> +
> +(or)
> +
> +For most public networks:
> +
> +@example
> +network=3D@{
> +  ssid=3D"net"
> +  key_mgmt=3DNONE
> +@}
> +@end example
> +
> +(or)
> +
> +For most organizational networks:
> +
> +@example
> +network=3D@{
> +  ssid=3D"net"
> +  scan_ssid=3D1
> +  key_mgmt=3DWPA-EAP
> +  identity=3D"uid"
> +  password=3D"pass"
> +  eap=3DPEAP
> +  phase1=3D"peaplabel=3D0"
> +  phase2=3D"auth=3DMSCHAPV2"
> +@}
> +@end example
> +
> +Connect to the configured network.
> +
> +@example
> +wpa_supplicant -B -c fname.conf -i nwif
> +@end example
> +
> +Assign an IP address to the network interface.
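Review bot: the WPA-EAP snippet for organizational networks has no `ca_cert=` line, so wpa_supplicant never checks the authentication server's certificate before sending the PEAP/MSCHAPv2 credentials; any access point announcing the same `ssid` is then accepted and receives the `identity`/`password` pair. Suggest adding a placeholder such as `ca_cert="/path/to/ca.pem"` with a sentence on obtaining the organization's CA certificate. Since all three snippets store the passphrase or password in clear text, `nano fname.conf` should be followed by `chmod 600 fname.conf` before `wpa_supplicant -B -c fname.conf -i nwif` is run.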

This is a bit misleading, as we aren't actually directly assigning an IP
address, but using dhclient to get one through DHCP.

> +
> +@example
> +dhclient -v nwif
> +@end example

Should there be something indicating the end of "Wireless Setup"?  I'm
not sure how texi subsections work, but if I were skipping "Wireless
Setup," how would I know where to skip to?

> +
> +Obtain the device letter @code{/dev/sdX} in which you would like to depl=
oy
> +and install Guix System, where =E2=80=9CX=E2=80=9D is the device letter.

This reads a bit awkwardly.  Perhaps consider
  "Find the [device] identifier for the device you are installing Guix
  System onto."

> +
> +@example
> +lsblk --list
> +@end example
> +
> +@example
> +NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
> +sda     8:0    0 223.6G  0 disk
> +sda1    8:1    0     2M  0 part
> +sda2    8:2    0   3.7G  0 part
> +sda3    8:3    0 219.9G  0 part /
> +zram0 251:0    0   512M  0 disk [SWAP]
> +@end example
> +
> +Wipe the device (Ignore if the device is new).
                    ^ lowercase; or "skip"

Also, why did the example for the USB drive show all 'sda' devices, and
this one does too?  This is potentially confusing.  Consider using
examples from the actual process.

> +
> +@example
> +shred --verbose --random-source=3D/dev/urandom /dev/sdX
> +@end example
> +
> +Load the device-mapper module in the current kernel.
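Review bot: `shred --verbose --random-source=/dev/urandom /dev/sdX` runs shred's default of three full passes over the device, which on a disk the size shown in the lsblk output (223.6G) takes hours and exceeds what this guide needs: the partition is about to be LUKS-encrypted, and a single pass of random data (`--iterations=1`) already makes unused space indistinguishable from ciphertext. Whatever pass count is kept, the text should tell the reader to compare `/dev/sdX` against the `lsblk --list` output immediately before running it, since this step is irreversible and the example device letters are the same as in the USB-drive example.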

Why?  Consider adding "(This is necessary for...)"

> +
> +@example
> +modprobe --verbose dm_mod
> +@end example
> +
> +Partition the device. Follow the prompts. Just do, GPT --> New -->
> +Write --> Quit; defaults will be set.

Consider writing out the steps.

Also: are we just using one partition?  Prefer describing what the goal
of a step is before describing the step, so a less knowledgeable user
learns and a more knowledgeable user knows when that step can be
substituted.

> +
> +@example
> +cfdisk /dev/sdX
> +@end example
> +
> +Obtain the partition number from the device, where =E2=80=9CY=E2=80=9D i=
s the
> +partition number.

Doesn't cfdisk show the partition number?

> +
> +@example
> +lsblk --list
> +@end example
> +
> +Encrypt the partition. Follow the prompts.
> +
> +@example
> +cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
> +--verify-passphrase --use-random --key-size 512 --iter-time 500 \
> +luksFormat /dev/sdXY
> +@end example
> +
> +Obtain and note down the UUID of the LUKS partition.
> +
> +@example
> +cryptsetup --verbose luksUUID /dev/sdXY
> +@end example
> +
> +Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
> +and @code{partname} is any desired name for the partition.
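Review bot: `--iter-time 500` cuts the key-derivation time from cryptsetup's default of 2000 ms, which makes offline guessing of the passphrase four times cheaper and saves nothing worth having at install time; recommend dropping the option. The command also does not pin the header format: cryptsetup 2.1 and later create LUKS2 by default, and the `cryptomount -u luks-uuid` step later in this guide depends on the GRUB payload shipped in Libreboot being able to open the header that was created, so either add `--type luks1` or state which GRUB version was tested. The non-default `--hash whirlpool --cipher serpent-xts-plain64` choices deserve a sentence on why they were picked, or should be replaced by the defaults, so readers do not copy them blindly.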

Consider suggesting (or using in your example) a default partition name,
like with the .conf file above. Same for all the vg, lv, and fs names
below.

> +
> +@example
> +cryptsetup --verbose
> +luksOpen UUID=3Dluks-uuid partname
> +@end example

Is this supposed to be two lines?

> +
> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.

There is no "num" or any GB values in your following example...

> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
                             ^ logical volumes

> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example

Why are we using btrfs?  Could I use ext4 instead?

> +
> +Mount the filesystems under the current system.

Consider "Mount the new filesystems."

> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=3D1MiB count=3D1GiB if=3D/dev/zero of=3D/mnt/swapfile status=3Dpro=
gress
> +mkswap --verbose /mnt/swapfile
> +@end example
> +
> +Make the swap file readable and writable only by root account.
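Review bot: `dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile` does not produce a 1 GiB file: `count` is a number of blocks and GNU dd applies the `GiB` suffix to it, so this requests 2^30 blocks of 1 MiB and runs until the root volume is full. Use `count=1024` (1024 blocks of 1 MiB). The file also lives on btrfs (see the `mkfs.btrfs` lines above), and the kernel only accepts a btrfs swap file that is neither copy-on-write nor compressed; create it empty and mark it first, e.g. `truncate -s 0 /mnt/swapfile && chattr +C /mnt/swapfile`, then run the dd, and apply `chmod 600` before filling it rather than afterwards.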
                                        "root." or "the root account."
> +
> +@example
> +chmod --verbose 600 /mnt/swapfile
> +@end example
> +
> +Activate the swap file.
> +
> +@example
> +swapon --verbose /mnt/swapfile
> +@end example
> +
> +Install packages on the mounted root filesystem.
> +
> +@example
> +herd start cow-store /mnt
> +@end example

This doesn't actually install packages, does it? The manual says:

  "This makes /gnu/store copy-on-write, such that packages added to it
  during the installation phase are written to the target disk rather
  than kept in memory."

> +
> +Create the system-wide configuration files directory.
> +
> +@example
> +mkdir --verbose /mnt/etc
> +@end example

Why all the verbose, even on mkdir?

> +
> +Create, edit and save the system configuration file by typing the
> +following code snippet. WATCH-OUT for variables in the code snippet
> +and replace them with the relevant values.

"Replace placeholders (such as LUKS-UUID) with their values from earlier."

> +
> +@example
> +nano /mnt/etc/config.scm
> +@end example
> +
> +The content of config.scm is:
> +
> +@lisp
> +(use-modules
> + (gnu)
> + (gnu system nss))
> +
> +(use-package-modules
> + certs
> + gnome
> + linux)
> +
> +(use-service-modules
> + desktop
> + xorg)
> +
> +(operating-system
> +  (kernel linux-libre-lts)
> +  (kernel-arguments
> +   (append
> +    (list
> +    ;; this is needed to flash the libreboot ROM. After, you
> +    ;; have flashed your rom, it is a good idea to remove
> +    ;; iomem=3Drelaxed from your kernel arguments
> +     "iomem=3Drelaxed")
> +    %default-kernel-arguments))
> +
> +  (timezone "Zone/SubZone")
> +  (locale "ab_XY.1234")
> +  (name-service-switch %mdns-host-lookup-nss)
> +
> +  (bootloader
> +   (bootloader-configuration
> +    (bootloader
> +     (bootloader
> +      (inherit grub-bootloader)
> +      (installer #~(const #t))))
> +    (keyboard-layout keyboard-layout)))
> +
> +  (keyboard-layout
> +   (keyboard-layout
> +    "xy"
> +    "altgr-intl"))
> +
> +  (host-name "hostname")
> +
> +  (mapped-devices
> +   (list
> +    (mapped-device
> +     (source
> +      (uuid "LUKS-UUID"))
> +     (target "partname")
> +     (type luks-device-mapping))
> +    (mapped-device
> +     (source "vgname")
> +     (targets
> +      (list
> +       "vgname-lvnameroot"
> +       "vgname-lvnamehome"))
> +     (type lvm-device-mapping))))
> +
> +  (file-systems
> +   (append
> +    (list
> +     (file-system
> +       (type "btrfs")
> +       (mount-point "/")
> +       (device "/dev/mapper/VGNAME-LVNAMEROOT")
> +       (flags '(no-atime))
> +       (options "space_cache=3Dv2")
> +       (needed-for-boot? #t)
> +       (dependencies mapped-devices))
> +     (file-system
> +       (type "btrfs")
> +       (mount-point "/home")
> +       (device "/dev/mapper/VGNAME-LVNAMEHOME")
> +       (flags '(no-atime))
> +       (options "space_cache=3Dv2")
> +       (dependencies mapped-devices)))
> +    %base-file-systems))
> +
> +  (swap-devices
> +   (list
> +    "/swapfile"))
> +
> +  (users
> +   (append
> +    (list
> +     (user-account
> +      (name "USERNAME")
> +      (comment "Full Name")
> +      (group "users")
> +      (supplementary-groups '("audio" "cdrom"
> +                              "kvm" "lp" "netdev"
> +                              "tape" "video"
> +                              "wheel"))))
> +    %base-user-accounts))
> +
> +  (packages
> +   (append
> +    (list
> +     nss-certs)
> +    %base-packages))
> +
> +  (services
> +   (append
> +    (list
> +     (service gnome-desktop-service-type))
> +    %desktop-services)))
> +@end lisp
> +
> +Initialize new Guix System.
> +
> +@example
> +guix system init /mnt/etc/config.scm /mnt
> +@end example
> +
> +Reboot the device.
> +
> +@example
> +reboot
> +@end example
> +
> +@node Tweaking Libreboot's Grub Payload
> +@subsection Tweaking Libreboot's Grub Payload
> +@cindex grub payload
> +
> +On reboot, as soon as the Libreboot graphic art appears, press =E2=80=9C=
C=E2=80=9D to
> +enter the command-line.
> +
> +Enter the following commands and respond to first command with the LUKS
> +Key.
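Review bot: the placeholder names in config.scm disagree with each other and with the shell steps: `mapped-devices` lists the LVM targets as `"vgname-lvnameroot"` and `"vgname-lvnamehome"`, while the `file-system` records point at `/dev/mapper/VGNAME-LVNAMEROOT` and `/dev/mapper/VGNAME-LVNAMEHOME`, and the LUKS source is `"LUKS-UUID"` where the shell steps used `luks-uuid`. A reader substituting values will miss one, and a wrong device path here yields an unbootable system after `guix system init`. Use one spelling per placeholder (lower-case throughout, matching the earlier text). Since `(installer #~(const #t))` deliberately skips installing the bootloader, a sentence saying that this is why Libreboot's own GRUB is edited in the next subsection would also help.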

What key?  When did we get a LUKS Key?  Am I supposed to come up with a
new key/passphrase?

> +
> +@example
> +cryptomount -u luks-uuid
> +set root=3D(lvm/vgname-lvnameroot)
> +@end example
> +
> +Upon Guix's GRUB menu, go with the default option.
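Review bot: `cryptomount -u luks-uuid` should state the exact form of the UUID expected: GRUB's `cryptomount -u` has historically compared the argument against the header UUID with the dashes removed, so a reader who types the dashed value printed by `cryptsetup luksUUID` may get a "no such cryptodisk found" error with no hint why. Say which form the Libreboot GRUB payload accepts (or show the command with the dashes stripped), and clarify that the "LUKS Key" asked for here is the passphrase chosen at the `luksFormat` step, since no key has been named before this point.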
"At the GRUB menu, select the default option."

> +
> +Enter the LUKS Key again, for kernel, as prompted.
> +
> +Upon login screen, login as "root" with password field empty.
"At the login screen"                     ^ the
> +
> +Open terminal.
       ^ the
> +
> +Set passkey for the "root" user. Follow the prompts.
       ^ the password
> +
> +@example
> +passwd root
> +@end example
> +
> +Set passkey for the "username" user. Follow the prompts.
       ^ the password

Also, the guide used the @code{username} style before. Why the change?

> +
> +@example
> +passwd username
> +@end example
> +
> +Install flashrom and wget.
> +
> +@example
> +guix package =E2=80=93-install flashrom wget
> +@end example
> +
> +Obtain the ROM chip's model and size. Look for the output line =E2=80=9C=
Found
> +[@dots{}] flash chip [@dots{}]=E2=80=9D.
> +
> +@example
> +flashrom --verbose --programmer internal
> +@end example
> +
> +Download Libreboot ROM and utilities, where "YYYYMMDD" is the release
> +date, @code{devmod} is the device model and "N" is the ROM chip size.

Likewise. The guide also used single quotes for 'sdX' earlier.

> +
> +@example
> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libr=
eboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz
> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYY=
YYMMDD_util.tar.xz
> +@end example
> +
> +Extract the downloaded files.
> +@example
> +tar --extract --file=3Dlibreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verb=
ose
> +tar --extract --file=3Dlibreboot_rYYYYMMDD_util.tar.xz --verbose
> +@end example
> +
> +Rename the directories of extracted files.
> +
> +@example
> +mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"
> +mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"
> +@end example
> +
> +Copy the ROM image to the directory of cbfstool, where "kbdlo" is the
> +keyboard layout and "arch" is the system architecture.
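Review bot: the Libreboot ROM and utility tarballs are downloaded and later flashed without any integrity check, although the guide did verify the Guix ISO signature earlier; the firmware image is the more sensitive of the two, since it runs before the kernel and the encrypted disk. Add a step that checks the downloads against the checksums and signatures Libreboot publishes with each release (`sha512sum --check` plus `gpg --verify`, mirroring the earlier step) before `tar --extract`. Separately, `mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"` renames the compressed archive rather than the extracted directory (compare the second `mv`, which renames `libreboot_rYYYYMMDD_util`), so the following `cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom ...` cannot find its source.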

Likewise.

> +
> +@example
> +cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arc=
h/libreboot.rom
> +@end example
> +
> +Change directory to the directory of cbfstool.
> +@example
> +cd libreboot_util/cbfstool/arch/
> +@end example
> +
> +Extract the GRUB configuration file from the image.
> +
> +@example
> +./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg
> +@end example
> +
> +Edit the GRUB configuration file and insert the following code snippet
> +above the line @code{=E2=80=9Cmenuentry 'Load Operating System [o]' --ho=
tkey=3D'o'
> +--unrestricted @{ [...] @}=E2=80=9D}.
> +
> +@example
> +nano grub.cfg
> +@end example
> +
> +Snippet:
> +@example
> +menuentry =E2=80=98Guix System (An advanced distribution of the GNU oper=
ating system) [g]=E2=80=99 --hotkey=3D=E2=80=99g=E2=80=99 --unrestricted
> +@{
> +cryptomount -u luks-uuid
> +set root=3D(lvm/vgname-lvnameroot)
> +configfile /boot/grub/grub.cfg
> +@}
> +@end example
> +
> +Remove the old GRUB configuration file from the ROM image.
> +
> +@example
> +./cbfstool libreboot.rom remove -n grub.cfg
> +@end example
> +
> +Insert the new GRUB configuration file into the ROM image.
> +
> +@example
> +./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
> +@end example
> +
> +Move the ROM image to the directory of ich9gen.
> +
> +@example
> +mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom
> +@end example
> +
> +Change directory to the directory of ich9gen.
> +
> +@example
> +cd ~/libreboot_util/ich9deblob/arch/
> +@end example
> +
> +Generate descriptor+GbE images with the MAC address, where "mac-addr"
> +is the MAC address of the machine.

Likewise.

> +
> +@example
> +ich9gen --macaddress mac-addr
> +@end example
> +
> +Insert the descriptor+GbE image into the ROM image, where "N" is the
> +ROM chip size.
> +@example
> +dd bs=3D12k conv=3Dnotrunc count=3D1 if=3Dich9fdgbe_Nm.bin of=3Dlibreboo=
t.rom status=3Dprogress
> +@end example
> +
> +Move the ROM image to the directory of flash.
                                          ^ "the flash script"
> +
> +@example
> +mv libreboot.rom ~/libreboot_util/libreboot.rom
> +@end example
> +
> +Change directory to the directory of flash.
> +
> +@example
> +cd ~/libreboot_util
> +@end example
> +
> +Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.
                        ^ the        ^ no ","
> +@example
> +nano flash
> +@end example
> +
> +Flash the ROM with the new image.
> +@example
> +./flash update libreboot.rom
> +@end example
> +
> +(or)
> +
> +@example
> +./flash forceupdate libreboot.rom
> +@end example

How do I know whether to use 'update' or 'forceupdate'?

> +
> +Reboot the device.
> +@example
> +reboot
> +@end example
> +
> +@node Closing Thoughts
> +@subsection Closing Thoughts

Typically it's "Closing Remarks".

> +
> +Everything should be stream-lined from now. Upon Libreboot's GRUB
What does this mean?

> +menu, you can either press "G" or choose "Guix System (An advanced
> +distribution of the GNU operating system) [g]".
In order to do what?

> +
> +During the boot process, as prompted, you have to type LUKS key twice;
> +once for Libreboot's GRUB and once more for Linux-Libre kernel.
> +Retyping a passphrase is a minor annoyance, but it is a secure method of
> +opening up your device.  There are methods that exist to only type the
> +passphrase once, but none are currently integrated into Guix System.
> +
> +Generally, you will be using Libreboot's initial/default grub.cfg,

Is this the grub.cfg we set up above? If so, specify that.

> +whose Guix menu-entry invokes Guix's grub.cfg located at
> +@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's
                           ^ troubleshooting
> +@code{grubtest.cfg}, which hasn't been modified.

But *how* would I use grubtest.cfg?

> +
> +Now that you have a working Guix System with full disk encryption, you
> +may want to remove the @code{iomem=3Drelaxed} from your
> +@code{kernel-arguments}.  @code{iomem=3Drelaxed} is needed to reflash yo=
ur
> +rom.  Since, most users will probably not flash their rom often, those
   ^ ROM      ^ no ","                                   ^ ROM
> +users may wish to disable that feature:
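Review bot: the text says `iomem=relaxed` is needed to reflash the ROM but not what it does: it relaxes the kernel's strict I/O-memory check on `/dev/mem`, so a root process can map device register ranges that kernel drivers have claimed, which is what flashrom's internal programmer relies on to reach the SPI flash controller. While it is set, any process running as root has that same raw access to hardware, so removing it once flashing is done is a real reduction in exposure rather than optional tidying; stating this here would make the trade-off clear. It is also worth saying that removing the argument means editing the `kernel-arguments` in config.scm and running `guix system reconfigure`, since the declaration above is what puts it on the command line.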

The change from "you" to "most users"/"those users" is a little jarring.

> +
> +@lisp
> +  ;; optionally remove this bit of code from your config.scm
> +  (kernel-arguments
> +   (append
> +    (list
> +    ;; this is needed to flash the libreboot ROM. After, you
> +    ;; have flashed your rom, it is a good idea to remove
> +    ;; iomem=3Drelaxed from your kernel arguments
> +     "iomem=3Drelaxed")
> +    %default-kernel-arguments))
> +@end lisp
> +
> +That is it! You have now setup Guix System with Full Disk Encryption on
> +your device powered by Libreboot. Enjoy!
> +
> +More information about Libreboot can be found at their official
> +documentation: @uref{https://libreboot.org/docs/}.

Consider embedding the link:
  "[...] can be found in the @uref{https://libreboot.org/docs/, official
  documentation}."

> +
> +@node Special Thanks
> +@subsection Special Thanks
> +
> +Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),
                           ^ no ","                                  ^ same
> +for helping me with the Scheme code for the bootloader configuration.
       ^ "for assisting with" (avoid first person pronouns)
> +
> +Thanks to Libreboot founder and developer, Leah Rowe
                                            ^ no ","
> +(leah@@libreboot.org), for helping me with the understanding of
                        ^ no ","  ^ "for assistance with Libreboot."
> +Libreboot=E2=80=99s functionalities.
> +
>  @node Customizing a Window Manager
>  @section Customizing a Window Manager
>  @cindex wm

Also, consider referencing relevant sections of the manual, such as

  https://guix.gnu.org/manual/en/html_node/Manual-Installation.html

so users know where to find more detailed information.

Hope that helps,
Sarah




Message sent to guix-patches@HIDDEN:


Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
Resent-From: jbranso@HIDDEN
Resent-Date: Thu, 22 Jul 2021 19:17:01 +0000
To: "Sarah Morgensen" <iskarian@HIDDEN>
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
Date: Thu, 22 Jul 2021 19:16:44 +0000
From: jbranso@HIDDEN
Message-ID: <2a373bf54c17a11a37ab8f2ca86ef07f@HIDDEN>
In-Reply-To: <86tukns2mc.fsf@HIDDEN>
References: <86tukns2mc.fsf@HIDDEN>
 <20210720052229.15438-1-jbranso@HIDDEN>

July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@HIDDEN> wrote:

> Hello Joshua, Raghav,
>
> Good to see more guides like this. In addition to what others have
> already pointed out, I've got a few readability suggestions, reading this as a
> layperson :) (Questions are intended to be rhetorical, to illustrate
> where a layperson might have questions or be confused.)

Thanks so much for your proof-reading!  I'll update and push a new patch!

> Also, consider referencing relevant sections of the manual, such as
>
> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
>
> so users know where to find more detailed information.

That is an awesome idea!  I will do so!

> Hope that helps,
> Sarah





Last modified: Thu, 22 Jul 2021 19:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.